Definition
NIP-07 defines a standard window.nostr object that a browser extension injects into web pages, giving websites a controlled way to request Nostr operations without ever receiving the user's private key. It is the Nostr equivalent of a hardware-wallet boundary applied to web apps: the page asks, the extension signs.
The interface
The required methods are getPublicKey(), which returns the user's public key as hex, and signEvent(event), which takes an event object and returns it populated with id, pubkey, and sig. Optional methods include getRelays() and encryption helpers under nip04 (deprecated) and nip44. Extensions are advised to inject at document_end so that window.nostr is available before page scripts run, avoiding race conditions.
Why it matters for key security
Without NIP-07, a web client would need your secret key pasted into the page, exposing it to any script or compromise on that site. NIP-07 inverts that: the signing key stays inside the extension's isolated context, and the page only ever receives signed results. This keeps a single key usable across many Nostr apps while keeping each app at arm's length from the secret material.
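Because the page only ever receives signed results, a client can check what the extension hands back before publishing it. The following is an added example, not code from the NIP or from any extension: the helper names (eventId, checkSigned, signChecked) and the sample values are assumptions made here, and the id check assumes the NIP-01 rule that an event id is the SHA-256 of the JSON array [0, pubkey, created_at, kind, tags, content].

```javascript
// Added example: validate what a NIP-07 signer returns before publishing it.
const { createHash } = require("node:crypto");

const HEX64 = /^[0-9a-f]{64}$/;
const HEX128 = /^[0-9a-f]{128}$/;

// NIP-01 event id: SHA-256 over the JSON array [0, pubkey, created_at, kind, tags, content].
function eventId(ev) {
  const body = JSON.stringify([0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]);
  return createHash("sha256").update(body, "utf8").digest("hex");
}

// Returns a list of problems; an empty list means the structural checks passed.
function checkSigned(template, pubkey, signed) {
  const problems = [];
  if (!HEX64.test(pubkey)) problems.push("getPublicKey() did not return 32-byte hex");
  if (signed.pubkey !== pubkey) problems.push("pubkey differs from getPublicKey()");
  for (const field of ["kind", "created_at", "content", "tags"]) {
    if (JSON.stringify(signed[field]) !== JSON.stringify(template[field])) {
      problems.push(`${field} was changed by the signer`);
    }
  }
  if (signed.id !== eventId(signed)) problems.push("id does not match event contents");
  if (!HEX128.test(String(signed.sig))) problems.push("sig is not 64-byte hex");
  return problems;
}

// Browser-side wrapper: `nostr` is window.nostr as injected by the extension.
async function signChecked(nostr, template) {
  const pubkey = await nostr.getPublicKey();
  const signed = await nostr.signEvent(template);
  const problems = checkSigned(template, pubkey, signed);
  if (problems.length) throw new Error("rejected signer output: " + problems.join("; "));
  return signed;
}

// Constructed sample data (not real keys or signatures).
const SAMPLE_PUBKEY = "a".repeat(64);
const SAMPLE_TEMPLATE = { kind: 1, created_at: 1700000000, tags: [], content: "hello" };
function sampleSigned(overrides = {}) {
  const ev = { ...SAMPLE_TEMPLATE, pubkey: SAMPLE_PUBKEY, ...overrides };
  return { ...ev, id: eventId(ev), sig: "b".repeat(128) };
}
```

The sig check here is format-only; verifying the Schnorr signature itself needs a secp256k1 library. In a browser, the Node hash call would be replaced with crypto.subtle.digest.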
For remote-wallet control with the same trust-minimizing spirit, see Nostr Wallet Connect (NIP-47), and for verifiable identity tied to that key see NIP-05. D-Central covers NIP-07 as part of self-custodied Nostr usage.
